TROOPERS for Students!
We are super excited for TROOPERS18 (March 12-16th, 2018), as are many of you! We even have this great saying that “after TROOPERS is before TROOPERS”, which means we spend a lot of time looking through feedback from attendees, speakers/trainers, and our own Crew for ways not only to top what we’ve done in the years before, but also to simply make it better for everyone involved. Looking around at our Crew, we realized how many have attended either TROOPERS or other conferences as students. We heard from them, as well as from other students, how life-changing it was to be able, as a student, to attend an IT security conference. How they got to meet a speaker whose work they’d read about in class. How people felt even more a part of the community they were studying hard to belong to.
Position Paper on an Enterprise Organization’s IPv6 Address Strategy
A while ago I wrote a short paper laying out options for an enterprise organization to get global IPv6 address space from the RIPE NCC, discussing the advantages and disadvantages of different approaches. As I think the topic may be of interest for others, too, I’ve distilled an anonymized version. It can be found here. I hope some of you find it useful.
Cheers, Enno
Erlang distribution RCE and a cookie bruteforcer
In one of our recent pentests we found an epmd (Erlang Port Mapper Daemon) listening on a target system (tcp/4369). It is used to coordinate distributed Erlang instances, but it can also lead to RCE if one knows the so-called “authentication cookie”. Usually, this cookie is located in ~/.erlang.cookie and is generated by Erlang on first start. If not modified or set manually, it is a random string of characters [A-Z] with a length of 20 characters. If an attacker obtains this cookie, RCE is quite easy, as I’d like to describe below.
Reading the BlueCoat FileSystem
You may remember our last post regarding the SGOS system and its proprietary file system. Since then, we have gotten access to a newer version of the system (6.6.4.2), though still not the most current one (which seems to be 6.7.1.1) nor the latest of the 6.6.x branch (which seems to be 6.6.5.1). As this system version also used the same proprietary filesystem (although it initially booted from a FAT32 partition), I decided to take a deeper look into it.
Daycon X1
This is my short write-up on Daycon X1, 2017. The summit was held in Dayton, the land where the Wright brothers were born. Apart from being my first US trip, it was also where I gave my first training, on Hacking 101, also called the Bootcamp.
RIPE IoT Roundtable Meeting / Balanced Security for IPv6 CPE Revisited
Last week I had the pleasure of participating in the first RIPE IoT Roundtable Meeting in Leeds (thanks to Marco Hogewoning for organising it). It was a day with many fruitful discussions. I particularly enjoyed Robert Kisteleki’s talk on RIPE NCC’s own design & (security) process considerations in the context of RIPE Atlas (at TR17 NGI there was an intro to Atlas, too).
In this post I’d like to quickly lay out the main points of my own contribution on “Balanced Security for IPv6 CPE Revisited” (the slides can be found here).
HITCON CMT 2017
Some of our Troopers had the chance to visit the HITCON conference in Taiwan this year. There are two main events: HITCON Pacific, which is aimed more at corporate attendees, and HITCON CMT, the community edition, which aims at students and the general infosec community. HITCON is the biggest security conference in Taiwan.
An Update of PenTesting Tools that (do not) Support IPv6
As you may remember, back in 2014 we published a whitepaper (compiled by Antonis Atlasis) on the support of IPv6 in different pentesting tools. That was almost three years ago, and we thought it was time for an update. In short, not much has changed: most of the tools which didn’t support IPv6 still don’t, or haven’t had any update since then.
This post will cover the tools where we could identify some progress on supporting IPv6.
FireEye Security Bug: Connection to physical host and adjacent network possible during analysis in Live-Mode
We recently identified a security issue in FireEye AX 5400 that also affected other products. We responsibly disclosed the bug to FireEye, and a fix that addresses the issue has been released with version 7.7.7. The fix was also merged into the common core and is available as 8.0.1 for other products (i.e. FireEye EX).
The related release notes can be found here:
- https://docs.fireeye.com/docs/docs_en/AX/sw/7.7.7/RN/AX_RN_7.7.7_en.pdf
- https://docs.fireeye.com/docs/docs_en/EX/sw/8.0.1/RN/EX_RN_8.0.1_en.pdf
FireEye also announced that it will post a 2017 Q3 notice crediting us.
DFRWS USA 2017
As mentioned in my last blog post, I had the pleasure of participating in this year’s DFRWS USA and presenting our paper. The paper and presentation can be freely viewed and downloaded here or here. Note that there is also an extended version of the paper, which can be downloaded here.
The keepassx, zsh and heap analysis plugins are now also part of the Rekall release candidate 1.7.0RC1, so it’s easier to get started.
The conference had some great talks and workshops, which I’m going to briefly sum up.